U.S. declines to sign cybersecurity pact

On Monday, the U.S. joined Russia, North Korea and China in declining to sign a cybersecurity pact supported by 50 countries and aimed at fighting both cyberwarfare and cybercrime.

The Paris Call for Trust and Security in Cyberspace agreement, part of the Paris Peace Forum, seeks to create a cyber Geneva Conventions of sorts, laying out international laws and guidelines for cyberwarfare as well as supporting human rights online. It was signed by 90 charities and universities as well as more than 150 tech companies, including Google, Microsoft, IBM and Facebook.

“I appreciate the Paris initiative, however, it falls short of being the Digital Geneva Convention,” said Nick Bilogorskiy, cybersecurity strategist at Juniper Networks. “It is symbolic, but it draws attention to the problem of the systemic harm to individuals and critical infrastructure as a result of malicious cyber activities in peacetime.”

The “Paris Call for Peace and Security in Cyberspace” demonstrates “how nation-states and global entities (corporations, NGOs etc.) combine to impose control,” said Lucy Security CEO Colin Bastable, who noted the conflict is between entities wanting a regulated internet and those who don’t. “That the pact was signed by 51 countries, hundreds of companies, and 92 non-profit organizations, universities, and advocacy groups indicates that there was a lot of background work being undertaken by national and global interests – you can’t assemble and align such a large group overnight.”

But Mounir Hahad, head of the Juniper Threat Labs, called the initiative “DOA (Dead On Arrival),” noting that “the non-signatories are the countries that are the most active in cyberspace in terms of intercepts, espionage and even offensive cyberwarfare.”

Calling the pact “mostly symbolic,” Paul Bischoff, privacy advocate at Comparitech.com, confirmed that the “countries who signed the pact did not agree to any specific rules, goals, or penalties. Instead, they agreed to figure all that out together at a later date.”

According to a French government website, countries signing the pact agree to:

Increase prevention against and resilience to malicious online activity;

Protect the accessibility and integrity of the Internet;

Cooperate in order to prevent interference in electoral processes;

Work together to combat intellectual property violations via the Internet;

Prevent the proliferation of malicious online programmes and techniques;

Improve the security of digital products and services as well as everybody’s “cyber hygiene”;

Clamp down on online mercenary activities and offensive action by non-state actors;

Work together to strengthen the relevant international standards.

“If you ask the Chinese government today, I expect they will tell you that they support all of these principles,” said Kothari. “Yet China continues to lead in boldfaced and brazen cyberattack activity around the world. Depending on the exact timing and sources quoted, roughly between 25 percent to over 40 percent of cyberattacks worldwide seem to involve China.” He pointed to nation-state attacks attributed to China, “such as Byzantine Hades, GhostNet, Aurora, Titan Rain, and the constant efforts of Unit 61398 of the People’s Liberation Army to hack, steal, and damage the interests of many other nations continue unabated.”

“It is a three-cornered fight – globalists who want global control, nationalists who want national control, and users who want personal control,” said Bastable. “We should not seek reconciliation in this conflict – conflict drives innovation. Tension between interest groups creates new technologies.”

The world is “facing a new wave of globalization that is driven by technological advances of unprecedented scale and speed. While we welcome the opportunities arising from this transformation, cybercriminals welcome them, too,” Troels Oerting, head of the Centre for Cybersecurity at the World Economic Forum, said in a release. “I’m convinced that organizations that hope to fend off these new threats on their own will pay a high price. Only through global cooperation can we hope to win the day. That’s why the Forum has chosen to support the Paris Call.”

The agreement “is replete with good intentions but likely short on practical results,” explained Pravin Kothari, CEO of CipherCloud.

Kothari called “statements of support to stop online mercenary activities and offensive activity…important and worthy of public praise and U.S. participation,” but noted that without an “operational legal framework” the Paris Call can’t produce new or meaningful results.

“In my opinion, [French] President [Emmanuel] Macron knew this agreement would be signed, it is an opportunity for him and others to openly point out to the whole world who the bad players are,” said Hahad, who contended it might take a “catastrophic attack” to make “the world come to its senses,” drawing a “very strong parallel with nuclear weapons.”

Bilogorskiy called for the international community to go further. “The only effective way to prevent significant widespread attacks will be to institute a formal agreement with a global mechanism of international penalties enforced by many countries,” he said. “My hope is that the largest governments of the world will not wait for a catastrophic precipitating event to put this type of framework in place.”